nganhkhoa/mether049-malware
1
0
Fork 0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
Code Issues Projects Releases Wiki Activity

Update malware-analysis_ref_and_memo.md

Browse Source
This commit is contained in:
mether049 2020-02-06 00:58:48 +09:00 committed by GitHub
parent 0c09e7296f
commit 5e6752b730
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
malware-analysis_ref_and_memo.md
View File

@ -90,17 +90,17 @@ DFIR,マルウェア解析OSINTに特化したUbuntuベースのディスト
- プロファイルの指定が必要である(メモリダンプがどのシステム(OSデータ構造シンボル)で使用したものなのかを識別するため)
- Volatility 3からは不要とのこと
- 対応しているメモリダンプのフォーマット
> - Raw linear sample (dd)
> - Hibernation file (from Windows 7 and earlier)
> - Crash dump file
> - VirtualBox ELF64 core dump
> - VMware saved state and snapshot files
> - EWF format (E01)
> - LiME format
> - Mach-O file format
> - QEMU virtual machine dumps
> - Firewire
> - HPAK (FDPro)
> - Raw linear sample (dd)
> - Hibernation file (from Windows 7 and earlier)
> - Crash dump file
> - VirtualBox ELF64 core dump
> - VMware saved state and snapshot files
> - EWF format (E01)
> - LiME format
> - Mach-O file format
> - QEMU virtual machine dumps
> - Firewire
> - HPAK (FDPro)
- **ref:**
- [cheet sheet](https://github.com/volatilityfoundation/volatility/raw/gh-pages/docs/VolatilityCheatSheet.pdf)
- [cheet sheet(sans)](https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf)
@ -121,13 +121,14 @@ DFIR,マルウェア解析OSINTに特化したUbuntuベースのディスト
- ref:
- [How to extract a RAM dump from a running VirtualBox machine](https://www.andreafortuna.org/2017/06/23/how-to-extract-a-ram-dump-from-a-running-virtualbox-machine/)
- Plugins
|name|default|how to use|description|reference|
|:-|:-|:-|:-|:-|
|malfind|| python vol.py -f zeus.vmem malfind -p 1724|||
|[hollowfind](https://github.com/monnappa22/HollowFind)|-|python vol.py -f infected.vmem --profile=Win7SP0x86 hollowfind|||
|yarascan|| python vol.py -f zeus.vmem yarascan --yara-file=/path/to/rules.yar||||
|yarascan|| python vol.py -f zeus.vmem yarascan --yara-file=/path/to/rules.yar|||
|[malconfscan](https://github.com/JPCERTCC/MalConfScan)|-|python vol.py malconfscan -f images.mem --profile=Win7SP1x64|マルウェアのコンフィグ情報の抽出cuckooと組み合わせることが可能|[wiki](https://github.com/JPCERTCC/MalConfScan/wiki)|
|[malstrscan](https://github.com/JPCERTCC/MalConfScan)|-|python vol.py malstrscan -a -f images.mem --profile=Win7SP1x64||||
|[malstrscan](https://github.com/JPCERTCC/MalConfScan)|-|python vol.py malstrscan -a -f images.mem --profile=Win7SP1x64|||
### Threat hunting
- EQL